{
  "threat_severity" : "Moderate",
  "public_date" : "2026-05-10T03:27:00Z",
  "bugzilla" : {
    "description" : "PHP: PHP-FPM: Cross-Site Scripting vulnerability via improper URL sanitization",
    "id" : "2468562",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2468562"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-79",
  "details" : [ "A flaw was found in PHP, specifically within the PHP-FPM status page. Due to improper sanitization of user-supplied data, a remote attacker can craft a malicious URL. When a user views the PHP-FPM status page via this crafted URL, arbitrary JavaScript (Cross-Site Scripting, or XSS) can execute in the user's browser, potentially compromising their browser session or leading to further attacks." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-06-01T00:00:00Z",
    "advisory" : "RHSA-2026:22305",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "php:8.2-8100020260521052503.f7998665"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-06-01T00:00:00Z",
    "advisory" : "RHSA-2026:22142",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "php:8.3-9080020260521113736.9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-06-01T00:00:00Z",
    "advisory" : "RHSA-2026:22143",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "php:8.2-9080020260521080715.9"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-05-06T00:00:00Z",
    "advisory" : "RHSA-2026:14125",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "php-main-8.5.6-1.hum1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "php8.4",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Fix deferred",
    "package_name" : "php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "php:7.4/php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Fix deferred",
    "package_name" : "rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Fix deferred",
    "package_name" : "devspaces/code-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-6735\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-6735\nhttps://github.com/php/php-src/security/advisories/GHSA-7qg2-v9fj-4mwv" ],
  "name" : "CVE-2026-6735",
  "mitigation" : {
    "value" : "Restrict network access to the PHP-FPM status page to trusted internal networks or localhost. This can be achieved by configuring web server access controls (e.g., Apache httpd or Nginx) to deny external access to the status page URL. If the PHP-FPM status page functionality is not required, it should be disabled in the PHP-FPM configuration. Any changes to web server or PHP-FPM configuration may require a service reload or restart to take effect.",
    "lang" : "en:us"
  },
  "csaw" : false
}